Your organization has a choice regarding supplier resilience. You may assume that suppliers have sufficient plans and recovery procedures that will reduce the risk and impacts of disruptions to their operations. Or, you may choose to actively verify supplier resilience.
Either choice is valid so long as it is made overtly and after assessing the relative risks of each choice.
If your organization chooses to hold suppliers accountable for their resilience as a condition of the business relationship, there are policies, standards and processes to implement.
Supplier resilience standards should flow directly from your own resilience objectives. Your supplier compliance standards may need to be implemented in stages consistent with your own and suppliers’ BCM program maturity.
Your dependency analysis, part of your annual business continuity program review, should identify your critical suppliers, all of which should be subject to the resilience compliance program.
When initiating a supplier resilience compliance program, convey the compliance policy to each supplier, secure their formal commitment and integrate compliance in the procurement and contracting process thereafter.
It would be wise to provide a non-disclosure agreement (NDA) because many suppliers may claim their business continuity information is proprietary.
To ensure clarity, provide suppliers with a business continuity plan template and your assessment criteria.
At a minimum, annual reviews of supplier compliance will include:
Conduct supplier resilience assessments using a standardized report card or dashboard that may be used as the basis for collaborating with the supplier to meet resilience requirements. The tool should present findings as briefly and graphically as possible, with specific recommendations. After meeting with the supplier to review results, agree on a deadline for completing corrective actions.
The objective for assessing supplier resilience is to reduce your risk and confirm the supplier will be there for you, or to identify gaps to close or mitigate. Take a collaborative approach to the process.
Ultimately, as your supplier compliance program matures, it will progress from an assessment of suppliers' BCM programs to also measure actual supplier resilience, integrating some of the organizational resilience measures used to assess your own organization. Eventually, compliance may include one or more of your critical suppliers actively participating in your recovery exercises.
The success of a business continuity management (BCM) program relies in no small measure on executive engagement and support. Engagement is vital when initiating a BCM program or introducing an existing program to a new senior executive, and there are ways to achieve this strategic objective.
Organizations need to make BCM programs measurable to enable useful oversight and accountability. Too often, however, measuring BCM becomes unnecessarily complex, time-consuming and onerous, diverting resources and sapping engagement and commitment.